A shocking bit of Facebook news hit the rumor mills this week, when it was discovered that the social site was saving mobile users’ contact lists. There was surprise, disbelief, horror and outrage, prompting numerous articles and a backlash of user reactions from all over the web.

But is this as big a deal as some make it out to be? After all, if you believe Facebook, they’re not out to distribute your information behind your back. In fact, they promise that the info they give to advertisers is anonymous, and they ask for permission via acceptance of their terms, as well as offer a way for people to limit or shut off this feature.

On the surface of it, it seems like the company is doing all the right things. But since it’s the biggest social network in the world — gatekeepers of the most intimate and personal details of the web-using population — the situation merits more than just a quick skim and a glance.

So let’s dive in and take a closer look at this.

Company says, “Don’t be freaked.”

Responding swiftly on its Wall, Facebook tried to squash the issue before it spun further out of control:

“Rumors claiming that your phone contacts are visible to everyone on Facebook are false. Our Contacts list, formerly called Phonebook, has existed for a long time. The phone numbers listed there were either added by your friends themselves and made visible to you, or you have previously synced your phone contacts with Facebook. Just like on your phone, only you can see these numbers.”

Frankly, I was surprised but not freaked out. After all, the company said they don’t make the data public. And I sync my addressbook to Google’s Gmail Contacts and use the Dragon dictation app, which dips into my contacts list so it knows when I utter a friend’s name. So, I wondered, is this really all that different?

More intrigued than anything else, I started perusing my Facebook contacts list. And that’s when I spotted something interesting — phone numbers from people who definitely never gave them to me.

Facebook says that some of the numbers were “added by your friends themselves and made visible to you.” But there’s little chance that any of these people specifically singled me out to receive their phone numbers. More likely, they either set (or failed to change) a privacy setting allowing one of three options: Data is viewable by everyone, just your direct friends, or a pool of your friends and their friends.

And that might be the real issue here: Those pesky settings.

Wait — is this a trap?

When Facebook got called out for privacy concerns in the past, they wound up giving users access to a bevy of controls to manage how and what they shared. Sounds great, except that unless you choose one of the canned options (to share all of your data with one of the three aforementioned groups), you have to parse 20+ other settings.

There’s no easy way to customize these. You can’t simply run down a list, checking boxes. No, you’ve got to go into each one and set them individually — that is, if you can even find them. They’re buried in a subpage (or two) under Privacy Preferences, which itself resides in a drop-down menu under “Accounts.” And we haven’t even talked about the numerous other settings, like “Security,” “Applications,” and “Mobile,” all of which seem like they could be hiding something that might relate to this issue.

Klunky, isn’t it? No wonder some unwitting people are so boggled by this that they don’t even realize how they’re sharing their data.

The striking thing here is the way contact syncing gets turned on to begin with: Launch a Facebook mobile app and click to allow. That’s it, that’s all there is to it. And that’s the problem. This is infinitely easier to turn on than shut off or adjust. And that’s what makes this whole scenario come off like some sort of trap.

Okay, the data goes to Facebook. (Just to match up contacts or what?) Now, where's the part about Facebook storing the data on its servers until the user manually deletes it?


The wrinkle here is that not all versions of the app put out this notice, and there are plenty of users from across the webs who say they’ve never synced their mobile’s addressbook with Facebook, but still see all their contacts stored on its servers.

What a mess. And what’s worse is that the end users — you, your little brother, your mom, and your aunt, uncle and grandparents — are the ones expected to handle all this.

As Facebook said, contacts syncing has been around for a long time. And it is inextricably linked to those privacy settings, which we’ve also had for a while now. In other words, there has been plenty of time to address this beastly, clustered mess and make it something transparent and easy to use. But the company seems to ignores this, instead focusing on Messaging, Games and other initiatives.

That’s just great. More settings to add to the mix. That will surely help things.

Do you trust Facebook?

Technically, Facebook does mention contacts syncing in at least some of their mobile terms. And technically, they do give people the ability to turn it off, which isn’t actually that hard to do — but only if (a) you know how, and (b) you can find where to do it. But good luck with all that, since any guidance from Facebook is also not very obvious. (To make this easier, we put some guidance for you below, at the bottom.)

There’s only one word that springs to mind here: Obfuscation. It’s like they’re hiding things in plain sight.

And here’s the kicker: Now that people have caught on to this, the company’s asking us to trust that it won’t do anything sneaky with the data — the same data that too many people didn’t even realize they were sharing.

Or maybe the real kicker is that, this same week that the topic blew up, Facebook honcho Mark Zuckerberg called out a company called Chill for auto-posting on users’ walls without their consent.

You've got to be kidding me, Zuck. "Uh hello, Kettle? This is Pot..."

Actually Chill does ask for consent, but it still killed the auto-posts anyway due to public outrage — a tactic Facebook would never even consider.

In the end, it boils down to this: Do you trust Facebook? Even if you don’t think they’re trying to pull a Big Brother move on you intentionally, do you believe them when they say the data’s not public, and that advertisers only get anonymized, aggregated information? Tell us if you think this is just a small kerfluffel that got blown way out of proportion, or a shady maneuver that has left you confused, upset and appalled.


EPILOGUE: How to tame those settings. Out of curiosity, I popped onto a friend’s account and saw that my Google Voice phone number showed up in his contacts list. This is no big deal, since he’s my pal, but I know I never gave those GV digits to him. (He uses my private line.) That’s when I realized how many people were potentially running around with my info on their phones. Like most people, I have acquaintances who seem nice enough (certainly not serial killers or stalkers) whose friend requests I had accepted. Do all of them have access to my info? And would one hack or stolen handset among those hundreds open up a heapin’ mess o’ trouble for me? Suddenly, a cold shiver went down my back.

I am far from alone. A coder named Tom Scott even made a Web app called “Evil” that shows random, anonymized phone numbers of Facebook users who have unwittingly shared their contact info. (So much for not allowing the data to go public.)

You can shut down this circus sideshow of data infiltration by stopping the Facebook Contacts Importer here. That keeps your phone contacts from being brought into your Facebook account. But just because you do that doesn’t mean all your friends will, so I highly recommend going into those privacy prefs and removing all access to your own phone number, as well as e-mail addresses and other sensitive info (which is what I did).

When you’re done, be sure to pop on over to our “How to Configure Facebook Privacy Settings” post, which offers more tips on handling your Facebook privacy settings. Then tell everyone you know who cares about keeping their info private to do the same — after you pick them up off the floor, that is.